openSUSE:Evergreen:11.4
vino
vino-CVE-2011-0904_0905.patch
File vino-CVE-2011-0904_0905.patch of Package vino
From af7847f11681770018ed6e7f86e7a31feabf9963 Mon Sep 17 00:00:00 2001 From: David King <amigadave@amigadave.com> Date: Tue, 26 Apr 2011 22:31:36 +0200 Subject: [PATCH] Avoid out-of-bounds memory accesses This fixes two critical security vulnerabilities that lead to an out-of-bounds memory write and read with a crafted client framebuffer update request packet. The dimensions of the update from the packet are checked to ensure that they are within the screen dimensions. Thanks to Kevin Chen from the Bitblaze group for the reports in bugs 641802 and 641803. The CVE identifiers for these vulnerabilities are CVE-2011-0904 and CVE-2011-0905. --- server/libvncserver/rfbserver.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c index 8c35853..f02a7f9 100644 --- a/server/libvncserver/rfbserver.c +++ b/server/libvncserver/rfbserver.c @@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl, cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader + w * (cl->format.bitsPerPixel / 8) * h); + /* Validate the rectangle given by the update packet. */ + if (w + x > cl->screen->width || h + y > cl->screen->height) + goto tx_error; + switch (cl->preferredEncoding) { case rfbEncodingRaw: if (!rfbSendRectEncodingRaw(cl, x, y, w, h)) -- 1.7.3.4
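Review bot: the new bounds check in rfbSendFramebufferUpdate is placed after the `cl->rfbRawBytesEquivalent += ...` statement, which has already used w and h, so a rectangle that is then rejected still skews that counter; moving the check above the accounting avoids this. The test also bounds only the sums `w + x` and `h + y` from above. The hunk does not show the types of x, y, w and h, so if they are signed, a negative x or y paired with a compensating w or h would pass, and if the addition can wrap, an oversized rectangle would pass as well. Checking each term separately, for example `x < 0 || w < 0 || x > cl->screen->width || w > cl->screen->width - x` and the same for y and h, closes both cases without relying on the sum. The comment could also say that the rectangle comes from the client's framebuffer update request, since that is why it cannot be trusted here.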